Ransomware attacks have been named by several organisations as one of the biggest cyber threats to businesses, both now and in the future. It is therefore important that businesses are aware of this type of cyber threat and how it can affect them.
Definition of ransomware
Ransomware is a type of malware, i.e. malicious software such as viruses or worms, that infects a computer, server or network. Ransomware can be divided into two types: locker ransomware and crypto-ransomware. Locker ransomware does not encrypt data or files, whereas crypto-ransomware does.
Once ransomware has been installed on a device, such as a computer, the ransomware encrypts or downloads files and then locks the owner out of the systems on the computer. All data thus becomes inaccessible to the owner. The data can be documents, pictures, videos, etc.
The owner, or victim, is then told that they must pay a ransom to regain access to their data.
There are many different types of malware that, just like ransomware, compromise data and have serious consequences for the victim.
How do ransomware attacks work?
As ransomware is a type of malware, it must first infect a device. This is typically done through phishing, where a person clicks on a link in a phishing email and is sent to a fake website that starts downloading malware to the device.
It can also be done by a person downloading attachments infected with malware from a phishing email or from fake pop-up advertisements on the internet.
Locker ransomware, as mentioned, does not encrypt files and data but instead starts downloading them. The cybercriminals behind the attack look for sensitive data or user data. They then contact the victim and tell them what kind of data they have come into possession of.
They may threaten to publish the data, or to contact customers or business partners and tell them that the victim is not looking after their users' data. The cybercriminals demand a ransom for not carrying out their threats.
Crypto-ransomware is a type of ransomware that encrypts all files and data on the drives and hard disks accessible from the device. The cybercriminals then contact the victim and demand a ransom. In return for the ransom, the victim is given the decryption key needed to decrypt the files and data.
Often, after a ransomware attack, a lock screen appears on one of the devices with a message explaining the conditions and how much money the victim has to pay. It also tells the victim how to buy cryptocurrency, typically Bitcoin, to pay with.
In some cases, cybercriminals give victims a number for a fake hotline where they can get help buying Bitcoin and transferring the money. The cybercriminals sometimes release individual files to prove that they are able to decrypt the files and data.
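To make the encryption step above concrete from the defender's side, the following added Python example (not from the original post) scans a directory for files whose extension promises a known document format but whose contents no longer carry that format's header and are near-random, which is what a crypto-ransomware victim's files look like afterwards. The signature table, the entropy threshold and the sample files are constructed for this example.

```python
import math
import os
import tempfile
from collections import Counter

# File signatures for a few document types ransomware victims typically lose.
# A file that keeps one of these extensions but no longer starts with the
# matching bytes has most likely been overwritten with ciphertext.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """True when the header does not match the extension (or the extension is
    unknown, e.g. a .locked suffix) and the content is near-random."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read(65536)  # a 64 KiB sample is enough for the heuristic
    header_ok = ext in MAGIC and data.startswith(MAGIC[ext])
    return not header_ok and shannon_entropy(data) >= threshold

def scan_tree(root: str) -> list:
    """Return sorted paths under root that look like encrypted victims."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                hits.append(path)
    return sorted(hits)

def demo() -> tuple:
    """Constructed sample: an intact PNG-like file and a file that kept its
    .docx name but was replaced by random bytes standing in for ciphertext."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 4000)  # valid header, low entropy
    with open(os.path.join(root, "contract.docx"), "wb") as f:
        f.write(os.urandom(4096))  # no PK header, entropy near 8 bits/byte
    return 2, [os.path.basename(p) for p in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

Formats that are legitimately high-entropy (archives, media, already-encrypted containers) need an entry in MAGIC or they will be reported as false positives. Run from a scheduled backup job, a sudden spike in hits is a useful signal to stop the job before it overwrites the last clean copy.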
Should you pay the ransom?
For many years, there was no guarantee that cybercriminals would send a decryption key and unlock a company's systems if it paid the ransom, so the general advice was never to pay. Another good piece of advice is to make regular backups of your data so that you can restore any compromised data.
This led to a change in the way hackers carry out ransomware attacks. Many companies did not pay the ransom, which removed the hackers' source of income. As a result, hackers started to offer ransomware-as-a-service (RaaS) and malware-as-a-service (MaaS).
The cybercriminals operate in groups
More and more hackers work in large groups or networks, and the hackers behind ransomware attacks now sell ransomware-as-a-service. Ransomware-as-a-service is a software package containing the ransomware itself, sold to hackers who lack the skills to build the ransomware themselves.
Ransomware-as-a-service is thus provided by hackers who specialise in developing ransomware and is used to carry out attacks by other hackers who are less skilled at developing it.
Hackers can pay for ransomware-as-a-service either through a subscription scheme or through profit-sharing, in which case they share the profits with the hacker they bought the ransomware from.
This ransomware-as-a-service model depends on companies paying the ransom. As a result, the hackers behind ransomware attacks now guarantee that companies will get their data back if they pay.
Consequences of a ransomware attack
An organisation that falls victim to ransomware can suffer a significant financial loss, as business productivity typically comes to a halt during, and in the period shortly after, the attack.
The company may also lose a lot of data, which can be either business-sensitive or personal information. If the hackers release the data and/or contact customers and business partners, this can damage the company's reputation, and stakeholders may lose trust in the company because of the attack.
In very serious cases, companies may risk legal action if stakeholders sue them.
Ransomware halts business productivity, so the first step after an attack is to contain it as much as possible. The company can then either restore files and data from backups, which it will hopefully have, or pay the ransom.
Police or intelligence services may get involved, but tracking down ransomware hackers requires many resources, which often delays the company's return to normal operations. In addition, hackers are very difficult to catch as they have become experts at hiding their tracks.
Examples of known types of ransomware
WannaCry: This type of ransomware exploited a major security hole in the Microsoft Windows operating system, called EternalBlue, to create a worldwide ransomware worm in 2017 that infected over 250,000 systems before a kill switch was triggered.
NotPetya: This type of ransomware is considered to be one of the most malicious in existence. NotPetya was used in a worldwide cyberattack in 2017 that started by infecting systems in Ukraine. NotPetya infects and encrypts the so-called "master boot record" of Microsoft Windows-based systems and exploits the same vulnerability as WannaCry to spread rapidly.
Some classify it as a "wiper", as the damage caused by NotPetya cannot be repaired and the ransomware is designed in such a way that it's almost impossible to recover the affected systems.
It was also NotPetya that hit Maersk in 2017, costing the company between $250 million and $300 million.
CryptoLocker: This was one of the first types of ransomware attacks that required cryptocurrency, in the form of Bitcoin, to decrypt users' data.
It was spread in 2013 via email attachments purporting to come from FedEx and UPS. The attack cost victims around $27 million in total before a decryption tool was released in 2014.
Bad Rabbit: Bad Rabbit works similarly to NotPetya, but differs in that it allows victims to have their files decrypted if the ransom is paid. In most cases, Bad Rabbit was spread via a fake Flash Player update.
Several Danish and international organisations have been hit by ransomware attacks since those mentioned above; organisations such as Google and 7-Eleven have become targets as well.
Protect your data
There are many different ways to protect your data from a ransomware attack. We've written a guide with advice so that you don't end up losing your valuable data: How to build a good ransomware protection.
This post has been updated on 24-07-2023 by Sofie Meyer.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.